process-reviews

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly ingests reviewer PDFs (auto-discovered from paths like to-sort/*.pdf or correspondence/referee-reviews/...) and the Phase 2 instruction "Read the reviews PDF using the Read tool" requires the agent to parse untrusted, user-generated reviewer text which is then used to drive analysis, prioritization, and strategy decisions, so third‑party content can materially influence behavior.